Apply Paul Gear's patch for Ubuntu 16.04

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix link
2016-05-02 07:26:10 -07:00 · 2016-05-01 10:44:12 -07:00 · 2016-05-01 10:44:01 -07:00 · 2016-04-28 16:42:52 -07:00 · 2016-04-28 16:42:32 -07:00 · 2016-04-25 16:09:10 -07:00
106 changed files with 4394 additions and 3046 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -339,7 +339,15 @@ show_classifiers() {
 #
 # Display blacklist chains
 #
+blacklist_filter() {
+    awk \
+	'BEGIN          { prnt=0; }; \
+        /^Members:/     { print "Dynamic:"; prnt=1; next; }; \
+                        { if (prnt == 1) print; };'
+}
+
 show_bl() {
+    [ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset | blacklist_filter && echo
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
@@ -922,23 +930,10 @@ show_events() {
 }

 show_actions() {
-    echo "A_ACCEPT                        # Audit and accept the connection"
-    echo "A_DROP                          # Audit and drop the connection"
-    echo "A_REJECT                        # Audit and reject the connection "
-    echo "allowBcast                      # Silently Allow Broadcast/multicast"
-    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
-    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
-    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-    echo "dropBcast                       # Silently Drop Broadcast/multicast"
-    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
-    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
-    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
-    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
-
    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
    else
-	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
    fi
 }

@@ -3457,6 +3452,29 @@ reject_command() {
    fi
 }

+blacklist_command() {
+    local family
+
+    [ $# -gt 0 ] || fatal_error "Missing address"
+
+    [ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
+
+    case ${IPSET:=ipset} in
+	*/*)
+	    if [ ! -x "$IPSET" ]; then
+		fatal_error "IPSET=$IPSET does not exist or is not executable"
+	    fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+	    ;;
+    esac
+
+    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+
+    return 0
+}
 save_command() {
    local finished
    finished=0
@@ -3806,6 +3824,38 @@ get_config() {
 	g_pager="| $g_pager"
     fi

+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -3832,7 +3882,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:$g_product start failed"
+	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi

@@ -3965,7 +4015,7 @@ restart_command() {
 	rc=$?
    else
 	error_message "${VARDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi

@@ -3996,6 +4046,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
+    echo "   blacklist <address> [ <option> ... ]"
    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
@@ -4147,6 +4198,7 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
+    g_blacklistipset=

    VERBOSE=
    VERBOSITY=1
@@ -4338,6 +4390,13 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	blacklist)
+	    get_config Yes
+	    shift
+	    [ -n "$g_nolock" ] || mutex_on
+	    blacklist_command $@
+	    [ -n "$g_nolock" ] || mutex_off
+	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
+#
+# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
+#
+mylogger() {
+    local level
+
+    level=$1
+    shift
+
+    if [ -n "$SW_LOGGERTAG" ]; then
+	logger -p $level -t "$SW_LOGGERTAG" $*
+    else
+	logger -p $level $*
+    fi
+}
+
 #
 # Issue a message and stop
 #
@@ -33,24 +49,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "

 	case $COMMAND in
 	    start)
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -117,6 +117,7 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"

 rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc

 echo "Shorewall Core Uninstalled"

--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
+		/etc/init.d/$PRODUCT enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -495,7 +495,7 @@ done
 # Install the Man Pages
 #

-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -693,6 +706,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1553,6 +1585,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/Macros/macro.RedisCluster
+++ b/Shorewall/Macros/macro.RedisCluster
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisCluster
+#
+# This macro handles Redis Cluster traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	16379
--- a/Shorewall/Macros/macro.RedisSentinel
+++ b/Shorewall/Macros/macro.RedisSentinel
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
+#
+# This macro handles Redis Sentinel traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	26379
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #

 use constant {
-	      LEGACY      => 0,
-	      PREROUTING  => 1,
-	      INPUT       => 2,
-	      OUTPUT      => 3,
-	      FORWARD     => 4,
-	      POSTROUTING => 5
+	      LEGACY_SECTION      => 0,
+	      PREROUTING_SECTION  => 1,
+	      INPUT_SECTION       => 2,
+	      OUTPUT_SECTION      => 3,
+	      FORWARD_SECTION     => 4,
+	      POSTROUTING_SECTION => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT,
-		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING
+our %asections = ( PREROUTING  => PREROUTING_SECTION,
+		   INPUT       => INPUT_SECTION,
+		   FORWARD     => FORWARD_SECTION,
+		   OUTPUT      => OUTPUT_SECTION,
+		   POSTROUTING => POSTROUTING_SECTION
 		 );

 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    $jumpchainref = 0;

-    $asection = LEGACY if $asection < 0;
+    $asection = LEGACY_SECTION if $asection < 0;

    our $disposition = '';

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -138,6 +138,17 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

+				       PREROUTING
+				       INPUT
+				       FORWARD
+				       OUTPUT
+				       POSTROUTING
+				       ALLCHAINS
+				       STICKY
+				       STICKO
+				       REALPREROUTING
+				       ACTIONCHAIN
+
 				       unreachable_warning
 				       state_match
 				       state_imatch
@@ -188,6 +199,7 @@ our %EXPORT_TAGS = (
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
+				       new_action_chain
 				       new_builtin_chain
 				       new_nat_chain
 				       optimize_chain
@@ -267,6 +279,7 @@ our %EXPORT_TAGS = (
 				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
+				       create_load_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -274,6 +287,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       initialize_switches
+				       terminating
 				       %targets
 				       %builtin_target
 				       %dscpmap
@@ -325,6 +339,10 @@ our $VERSION = 'MODULEVERSION';
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
+#                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
+#                                               allowedchains
+#                                                            => Mangle action chains only -- specifies the set of builtin chains where
+#                                                               this action may be used.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -456,6 +474,22 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
 	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
+#
+# Mangle Table allowed chains enumeration
+#
+use constant {
+    PREROUTING     => 1,        #Actually tcpre
+    INPUT          => 2,        #Actually tcin
+    FORWARD        => 4,        #Actually tcfor
+    OUTPUT         => 8,        #Actually tcout
+    POSTROUTING    => 16,       #Actually tcpost
+    ALLCHAINS      => 31,
+    STICKY         => 32,
+    STICKO         => 64,
+    REALPREROUTING => 128,
+    ACTIONCHAIN    => 256,
+};
+
 #
 # Possible IPSET options
 #
@@ -587,7 +621,7 @@ our %builtin_target = ( ACCEPT      => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
 			RAWDNAT     => STANDARD                                           + RAW_TABLE,
 			RAWSNAT     => STANDARD                                           + RAW_TABLE,
 			REDIRECT    => STANDARD                + NAT_TABLE,
-			REJECT      => STANDARD + FILTER_TABLE,
+			REJECT      => STANDARD + FILTER_TABLE + OPTIONS,
 			RETURN      => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
 			SAME        => STANDARD,
 			SECMARK     => STANDARD                            + MANGLE_TABLE,
@@ -615,7 +649,7 @@ our %ipset_exists;
 #                    => CMD_MODE if the rule contains a shell command or if it
 #                                part of a loop or conditional block. If it is a
 #                                shell command, the text of the command is in
-#                                the cmd
+#                                the cmd member
 #         cmd        => Shell command, if mode == CMD_MODE and cmdlevel == 0
 #         cmdlevel   => nesting level within loops and conditional blocks.
 #                       determines indentation
@@ -776,14 +810,13 @@ sub initialize( $$$ ) {
 		     NETMAP       => 1,
 		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
-		     REDIRECT     => 1,
 		     RAWDNAT      => 1,
+		     REDIRECT     => 1,
 		     RAWSNAT      => 1,
 		     REJECT       => 1,
 		     SAME         => 1,
 		     SNAT         => 1,
 		     TPROXY       => 1,
-		     reject       => 1,
 		   );
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -810,6 +843,24 @@ sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }

+#
+# Determine if a chain is terminating
+#
+sub terminating( $ ) {
+    my ( $chainref ) = @_;
+
+    return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
+}
+
+sub is_terminating( $$ ) {
+    my ( $table, $target ) = @_;
+
+    if ( my $chainref = $chain_table{$table}{$target} ) {
+	terminating( $chainref );
+    } else {
+	$terminating{$target};
+    }
+}
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -904,7 +955,7 @@ sub set_rule_option( $$$ ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
 	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
-	    # the first while 
+	    # the first one.
 	    if ( $option eq 'p' ) {
 		my ( $proto ) = split( ' ', $ruleref->{p} );
 		return if $proto eq $value;
@@ -1277,6 +1328,8 @@ sub push_rule( $$ ) {
    my $complete = 0;
    my $ruleref  = transform_rule( $_[1], $complete );

+    fatal_error "Chain $chainref->{name} jumps to itself" if ( $ruleref->{target} || '' ) eq $chainref->{name};
+
    set_irule_comment( $chainref, $ruleref );

    $ruleref->{mode}    = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
@@ -1507,6 +1560,7 @@ sub create_irule( $$$;@ ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
 	$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
+	$chainref->{complete} ||= ( ! @matches && ( $jump eq 'g' || is_terminating( $chainref->{table}, $target ) ) );
 	$ruleref->{targetopts} = $targetopts if $targetopts;
    } else {
 	$ruleref->{target} = '';
@@ -1998,7 +2052,7 @@ sub chain_base( $ ) {
 sub forward_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd';
 }

 #
@@ -2053,7 +2107,7 @@ sub use_forward_chain($$) {
 #
 sub input_option_chain($) {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop';
 }

 #
@@ -2061,7 +2115,7 @@ sub input_option_chain($) {
 #
 sub output_option_chain($) {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
 }

 #
@@ -2069,7 +2123,7 @@ sub output_option_chain($) {
 #
 sub forward_option_chain($) {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop';
 }

 #
@@ -2078,7 +2132,7 @@ sub forward_option_chain($) {
 sub input_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in';
 }

 #
@@ -2141,7 +2195,7 @@ sub use_input_chain($$) {
 sub output_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out';
 }

 #
@@ -2150,7 +2204,7 @@ sub output_chain($)
 sub prerouting_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre';
 }

 #
@@ -2159,7 +2213,7 @@ sub prerouting_chain($)
 sub postrouting_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post';
 }

 #
@@ -2212,7 +2266,7 @@ sub use_output_chain($$) {
 sub masq_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq';
 }

 #
@@ -2228,7 +2282,7 @@ sub syn_flood_chain ( $ ) {
 sub mac_chain( $ )
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac';
 }

 sub macrecent_target($)
@@ -2265,7 +2319,7 @@ sub load_chain( $ ) {
 sub snat_chain( $ )
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat';
 }

 #
@@ -2274,7 +2328,7 @@ sub snat_chain( $ )
 sub ecn_chain( $ )
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn';
 }

 #
@@ -2325,6 +2379,7 @@ sub new_chain($$)
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
+		     restriction    => NO_RESTRICT,
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2452,7 +2507,7 @@ sub add_ijump_internal( $$$$$;@ ) {
    }

    if ( $ruleref->{simple} ) {
-	$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
+	$fromref->{complete} = 1 if $jump eq 'g' || ( $toref ? terminating( $toref ) : $terminating{$to} );
    }

    $ruleref->{origin} = $origin if $origin;
@@ -2738,6 +2793,13 @@ sub new_standard_chain($) {
    $chainref;
 }

+sub new_action_chain($$) {
+    my $chainref = &new_chain( @_ );
+    $chainref->{referenced} = 1;
+    $chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
+    $chainref;
+}
+
 sub new_nat_chain($) {
    my $chainref = new_chain 'nat' ,$_[0];
    $chainref->{referenced} = 1;
@@ -2868,40 +2930,40 @@ sub initialize_chain_table($) {
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
+		    'ADD'             => STANDARD + SET,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'DROP'            => STANDARD,
-		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'REJECT'          => STANDARD + OPTIONS,
-		    'REJECT!'         => STANDARD + OPTIONS,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
-		    'DNAT'            => NATRULE  + OPTIONS,
-		    'DNAT-'           => NATRULE  + NATONLY,
-		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
-		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
-		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'NONAT'           => STANDARD + NONAT  + NATONLY,
+		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
-		    'QUEUE'           => STANDARD + OPTIONS,
-		    'QUEUE!'          => STANDARD,
-		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
-		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD,
+		    'DNAT'            => NATRULE  + OPTIONS,
+		    'DNAT-'           => NATRULE  + NATONLY,
+		    'DROP'            => STANDARD,
+		    'DROP!'           => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
+		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'MARK'            => STANDARD + OPTIONS,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
+		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'QUEUE'           => STANDARD + OPTIONS,
+		    'QUEUE!'          => STANDARD,
+		    'REJECT'          => STANDARD + OPTIONS,
+		    'REJECT!'         => STANDARD + OPTIONS,
+		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
+		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'WHITELIST'       => STANDARD,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2945,8 +3007,6 @@ sub initialize_chain_table($) {
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD + OPTIONS,
 		    'REJECT!'         => STANDARD + OPTIONS,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'DNAT'            => NATRULE  + OPTIONS,
 		    'DNAT-'           => NATRULE  + NATONLY,
 		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
@@ -3001,6 +3061,12 @@ sub initialize_chain_table($) {
 	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
 	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	}
+
+	$mangle_table->{PREROUTING}{chainnumber}    = PREROUTING;
+	$mangle_table->{INPUT}{chainnumber}         = INPUT;
+	$mangle_table->{OUTPUT}{chainnumber}        = OUTPUT;
+	$mangle_table->{FORWARD}{chainnumber}       = FORWARD;
+	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
    }

    if ( my $docker = $config{DOCKER} ) {
@@ -4469,7 +4535,7 @@ sub clearrule() {
 sub state_match( $ ) {
    my $state = shift;

-    if ( $state eq 'ALL' ) {
+    if ( $state eq 'ALL' || $state eq '-' ) {
 	''
    } else {
 	have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6287,7 +6353,7 @@ sub log_rule_limit( $$$$$$$$;$ ) {
    my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;

    my $prefix = '';
-    my $chain            = get_action_chain_name  || $chn;
+    my $chain            = get_action_chain_name  ||  $chn;
    my $disposition      = get_action_disposition || $dispo;
    my $original_matches = $matches;
    my $ruleref;
@@ -6387,7 +6453,7 @@ sub log_irule_limit( $$$$$$$$@ ) {

    my $prefix = '';
    my %matches;
-    my $chain       = get_action_chain_name  || $chn;
+    my $chain       = get_action_chain_name  ||  $chn;
    my $disposition = get_action_disposition || $dispo;
    my $original_matches = @matches;

@@ -6782,14 +6848,12 @@ sub get_interface_gateway ( $;$ ) {
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );

-    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
-
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7493,7 +7557,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 	log_irule_limit( $loglevel ,
 			 $echainref ,
 			 $chain ,
-			 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+			 $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			 [] ,
 			 $logtag ,
 			 'add' ,
@@ -7540,7 +7604,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )

    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
-    my  $chain = $actparms{chain} || $chainref->{name};
+    my  $chain = $actparams{chain} || $chainref->{name};
    my $table = $chainref->{table};
    my ( $jump, $mac,  $targetref, $basictarget );
    our @ends = ();
@@ -7702,7 +7766,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $matches );
+			    add_expanded_jump( $chainref ,
+					       $targetref ,
+					       terminating( $targetref ) ,
+					       $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -7714,22 +7781,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $chain,
-				       $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+				       $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 				       '' ,
 				       $logtag ,
 				       'add' ,
-				       $matches
+				       $prerule . $matches
 				      );
 		    } elsif ( $logname || $basictarget eq 'RETURN' ) {
 			log_rule_limit(
 				       $loglevel ,
 				       $chainref ,
 				       $logname || $chain,
-				       $actparms{disposition} || $disposition,
+				       $actparams{disposition} || $disposition,
 				       '',
 				       $logtag,
 				       'add',
-				       $matches );
+				       $prerule . $matches );

 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref, 0, $matches );
@@ -7746,10 +7813,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 						     $loglevel,
 						     $logtag,
 						     $exceptionrule,
-						     $actparms{disposition} || $disposition,
+						     $actparams{disposition} || $disposition,
 						     $target ),
 					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
-					   $matches );
+					   $prerule . $matches );
 		    }

 		    conditional_rule_end( $chainref ) if $cond3;
@@ -8126,6 +8193,15 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
+fi
+EOF
+	}
    } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8146,6 +8222,15 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING    
+fi
+EOF
+	}
    }

    pop_indent;
@@ -8164,14 +8249,22 @@ EOF
    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }

-sub ensure_ipset( $ ) {
-    my $set = shift;
+sub ensure_ipsets( @ ) {
+    my $set;
+
+    if ( @_ > 1 ) {
+	push_indent;
+	emit( "for set in @_; do" );
+	$set = '$set';
+    } else {
+	$set = $_[0];
+    }

    if ( $family == F_IPV4 ) {
 	if ( have_capability 'IPSET_V5' ) {
 	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
-		   qq(        \$IPSET -N $set hash:ip family inet) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
 		   qq(    fi) );
 	} else {
 	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
@@ -8181,10 +8274,15 @@ sub ensure_ipset( $ ) {
 	}
    } else {
 	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
-	       qq(        \$IPSET -N $set hash:ip family inet6) ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
 	       qq(    fi) );
    }
+
+    if ( @_ > 1 ) {
+	emit 'done';
+	pop_indent;
+    }
 }

 #
@@ -8193,22 +8291,26 @@ sub ensure_ipset( $ ) {
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;

-    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#",
 	  'save_ipsets() {' );

    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
+	      '    local set' ,
 	      '',
 	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );

 	if ( @ipsets ) {
 	    emit '';
-	    ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
 	}

 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		#
+		# Requires V5 or later
+		#
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';

 		emit( '' ,
@@ -8217,11 +8319,6 @@ sub create_save_ipsets() {
 		      '    local set' ,
 		    );

-		if ( @ipsets ) {
-		    emit '';
-		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
-		}
-
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
@@ -8229,6 +8326,9 @@ sub create_save_ipsets() {
 		      '',
 		    );
 	    } else {
+		#
+		# Saving all ipsets (IPv4 and IPv6, if any )
+		# 
 		emit ( 
 		       '',
 		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@@ -8237,28 +8337,48 @@ sub create_save_ipsets() {
 	    }

 	    emit( "    return 0",
-		  '',
 		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    #
+	    # Requires V5 or later
+	    #
+	    my %ipsets;
+	    #
+	    # Requires V
+	    #
+	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
+
+	    my @sets = sort keys %ipsets;
+
 	    emit( '' ,
+		  '    rm -f $file' ,
+		  '    touch $file' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);

-	    if ( @ipsets ) {
-		emit '';
-		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    if ( @sets > 1 ) {
+		emit( '' ,
+		      "    for set in @sets; do" , 
+		      '        if qt $IPSET list $set; then' ,
+		      '            $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
+		      '        else' ,
+		      '            error_message "ipset $set not saved (not found)"' ,
+		      '        fi' ,
+		      '    done' );
+	    } else {
+		my $set = $sets[0];
+
+		emit( '' ,
+		      "    if qt \$IPSET list $set; then" ,
+		      "        \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
+		      '    else' ,
+		      "        error_message 'ipset $set not saved (not found)'" ,
+		      '    fi' );
 	    }

 	    emit( '' ,
-		  "    if qt \$IPSET list $_; then" ,
-		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
-		  '    else' ,
-		  "        error_message 'ipset $_ not saved (not found)'" ,
-		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-
-	    emit( '' ,
-		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  "    grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
 		  '' ,
 		  '    return 0',
 		  '' ,
@@ -8274,13 +8394,58 @@ sub create_save_ipsets() {
    }
 }

-sub load_ipsets() {
+sub create_load_ipsets() {

-    my @ipsets = all_ipsets;
+    my @ipsets = all_ipsets; #Dynamic Zone IPSETS

-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit ( '', );
-	emit ( '',
+    my $setting = $config{SAVE_IPSETS};
+
+    my $havesets =  @ipsets || @{$globals{SAVED_IPSETS}} || ( $setting && have_ipset_rules );
+
+    #
+    # Generate a function that flushes and destroys sets prior to restoring them
+    #
+    if ( $havesets ) {
+	my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+	emit ( "#\n#Flush and Destroy the sets that we will subsequently attempt to restore\n#",
+	       'zap_ipsets() {',
+	       '    local set',
+	       '' );
+
+	if ( $family == F_IPV6 || $setting !~ /yes/i ) {
+	    #
+	    # Requires V5 or later
+	    #
+	    emit( '' ,
+		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '        $IPSET flush $set' ,
+		  '        $IPSET destroy $set' ,
+		  "    done" ,
+		  '',
+		);
+	} else {
+	    #
+	    # Restoring all ipsets (IPv4 and IPv6, if any)
+	    #
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '    fi' );
+	};
+
+	emit( '}' );
+    }
+    #
+    # Now generate load_ipsets()
+    
+    emit ( "#\n#Flush and Destroy the sets then load fresh copy from a saved ipset file\n#",
+	   'load_ipsets() {' );
+
+    push_indent;
+
+    if ( $havesets ) {
+	emit(  '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8291,86 +8456,56 @@ sub load_ipsets() {
 	       '        ;;',
 	       'esac' ,
 	       '' ,
-	       'if [ "$COMMAND" = start ]; then' );
+	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

-	if ( $config{SAVE_IPSETS} ) {
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-
-	    if ( @ipsets ) {
-		emit ( '' );
-		ensure_ipset( $_ ) for @ipsets;
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	    }
-	} else {
-	    ensure_ipset( $_ ) for @ipsets;
-
-	    if ( @{$globals{SAVED_IPSETS}} ) {
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	    }
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+		  '        zap_ipsets',
+		  '        $IPSET -R < ${VARDIR}/ipsets.save',
+		  '    fi' );
 	}

-	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
+	if ( @ipsets ) {
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
+	}

-	if ( $config{SAVE_IPSETS} ) {
+	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); ### Restore Command #################
+
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
 	    emit( '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		  '        if chain_exists shorewall; then' ,
 		  '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
 		  '        else' ,
-		  '            $IPSET -F' ,
-		  '            $IPSET -X' ,
+		  '            zap_ipsets' ,
 		  '            $IPSET -R < $(my_pathname)-ipsets' ,
 		  '        fi' ,
 		  '    fi' ,
 		);
-
-	    if ( @ipsets ) {
-		emit ( '' );
-		ensure_ipset( $_ ) for @ipsets;
-		emit ( '' );
-	    }
-	} else {
-	    ensure_ipset( $_ ) for @ipsets;
-
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET flush' ,
-		   '        $IPSET destroy' ,
-		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}

 	if ( @ipsets ) {
-	    emit ( 'elif [ "$COMMAND" = reload ]; then' );
-	    ensure_ipset( $_ ) for @ipsets;
-	}
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );

-	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-	      '   save_ipsets'
-	    );
+	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
+	    ensure_ipsets( @ipsets );

-	if ( @ipsets ) {
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
-	    ensure_ipset( $_ ) for @ipsets;
+	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
+	    emit ( '' );
+	    ensure_ipsets( @ipsets );
+	    emit ( '' );
 	};

 	emit ( 'fi' ,
 	       '' );
+    } else {
+	emit 'true';
    }
+
+    pop_indent;
+
+    emit '}';	    
 }

 #
@@ -8577,18 +8712,20 @@ sub preview_netfilter_load() {
 		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-			enter_cat_mode;
+			enter_cmd_mode1;
+			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
-			emit_unindented ":$name - [0:0]";
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( ":$name - [0:0]\n" );
 		    }
 		} else {
-		    emit_unindented ":$name - [0:0]";
+		    print( ":$name - [0:0]\n" );
 		}

 		push @chains, $chainref;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}

    }
@@ -368,6 +368,7 @@ sub generate_script_3($) {
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
+    create_load_ipsets;

    emit "#\n# Start/Reload the Firewall\n#";

@@ -406,7 +407,9 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );

-    load_ipsets;
+    emit( 'load_ipsets' ,
+	  '' );
+
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
@@ -573,16 +576,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        mylogger kern.info "$g_product started"
        ;;
-    reloaded)
-        logger -p kern.info "$g_product reloaded"
+    reload)
+        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -867,10 +870,6 @@ sub compiler {
    #
    complete_policy_chains;
    #
-    # Reject Action
-    #
-    process_reject_action if $config{REJECT_ACTION};
-    #
    # Accounting.
    #
    setup_accounting if $config{ACCOUNTING};
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -139,6 +139,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       push_action_params
 				       pop_action_params
 				       default_action_params
+                                       setup_audit_action
 				       read_a_line
 				       which
 				       qt
@@ -160,6 +161,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       set_section_function
                                       clear_section_function
                                       directive_callback
+		                       add_ipset
+		                       all_ipsets

 				       $product
 				       $Product
@@ -185,7 +188,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_enabled
 				       %helpers_aliases

-				       %actparms
+				       %actparams

                                       PARMSMODIFIED
                                       USEDCALLER
@@ -343,7 +346,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                                 => 'Ipset Match nomatch',
 		 IPSET_MATCH_COUNTERS
                                 => 'Ipset Match counters',
-		 IPSET_V5        => 'Version 5 ipsets',
+		 IPSET_V5        => 'Version 5 or later ipset',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -552,7 +555,7 @@ our %compiler_params;
 #
 # Action parameters
 #
-our %actparms;
+our %actparams;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
@@ -670,6 +673,14 @@ our %variables; # Symbol table for expanding shell variables

 our $section_function; #Function Reference for handling ?section

+our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
+
+our %ipsets; # All required IPsets
+#
+# Files located via find_file()
+#
+our %filecache;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -877,6 +888,7 @@ sub initialize( $;$$) {
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
+	  MINIUPNPD => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1061,9 +1073,10 @@ sub initialize( $;$$) {

    %compiler_params = ();

-    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
+    %ipsets = ();

    %helpers_enabled = (
 			amanda       => 1,
@@ -1162,6 +1175,14 @@ sub initialize( $;$$) {

 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

+sub add_ipset( $ ) {
+    $ipsets{$_[0]} = 1;
+}
+
+sub all_ipsets() {
+    sort keys %ipsets;
+}
+
 #
 # Create 'currentlineinfo'
 #
@@ -1235,6 +1256,34 @@ sub shortlineinfo( $ ) {

 sub handle_first_entry();

+#
+# Issue a Information Message
+#
+sub info_message
+{
+    my $currentlineinfo = currentlineinfo;
+    our @localtime;
+
+    handle_first_entry if $first_entry;
+
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
+
+    if ( $log ) {
+	@localtime = localtime;
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+    }
+
+    if ( $confess ) {
+	print STDERR longmess( "   INFO: @_$currentlineinfo" );
+	print $log   longmess( "   INFO: @_$currentlineinfo\n" ) if $log;
+    } else {
+	print STDERR "   INFO: @_$currentlineinfo\n";
+	print $log   "   INFO: @_$currentlineinfo\n" if $log;
+    }
+
+    $| = 0; #Re-allow output buffering
+}
+
 #
 # Issue a Warning Message
 #
@@ -1469,9 +1518,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc shift;
+    my $val = lc $_[0];

-    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val =~ s/^0+/0/;
    $val;
 }

@@ -1664,7 +1713,7 @@ sub progress_message {

 	    @localtime = localtime unless $havelocaltime;

-	    printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
    }
@@ -1683,7 +1732,7 @@ sub progress_message_nocompress {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1704,7 +1753,7 @@ sub progress_message2 {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1725,7 +1774,7 @@ sub progress_message3 {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1900,6 +1949,10 @@ sub find_file($)

    return $filename if $filename =~ '/';

+    my $file = $filecache{$filename};
+
+    return $file if $file;
+
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
@@ -2150,6 +2203,12 @@ sub supplied( $ ) {
    defined $val && $val ne '';
 }

+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Pre-process a line from a configuration file.

@@ -2491,6 +2550,13 @@ sub directive_warning( $$$ ) {
    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
 }

+sub directive_info( $$$ ) {
+    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    ( my $info, $currentfilename, $currentlinenumber ) = @_;
+    info_message $info;
+    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+}
+
 #
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
@@ -2506,20 +2572,49 @@ sub join_parts( $$$ ) {
 }

 #
-# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
+# Declare passed() in Shorewall::User
 #
-sub evaluate_expression( $$$ ) {
-    my ( $expression , $filename , $linenumber ) = @_;
+sub declare_passed() {
+    my $result = ( eval q(package Shorewall::User;
+                          use strict;
+                          sub passed( $ ) {
+                              my $val = shift;
+                              defined $val && $val ne '' && $val ne '-';
+                          }
+
+                          1;) );
+    assert( $result, $@ );
+}
+
+#
+# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
+#
+sub evaluate_expression( $$$$ ) {
+    my ( $expression , $filename , $linenumber, $just_expand ) = @_;
    my $val;
    my $count = 0;
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
+
+    #                     $1                   $2
+    if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
+	my $val = passed($actparams{$2});
+
+	return $1 ? ! $val : $val unless $debug;
+
+	$val = $1 ? ! $val : $val;
+
+	print "EXPR=> '$val'\n" if $debug;
+
+	return $val;
+    }
+
    #                         $1      $2   $3                     -     $4
    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);

 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} else {
 	    $val = ( exists $variables{$var} ? $variables{$var} :
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
@@ -2534,7 +2629,7 @@ sub evaluate_expression( $$$ ) {
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
-	    $val = $var ? $actparms{$var} : $chain;
+	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2565,13 +2660,19 @@ sub evaluate_expression( $$$ ) {

    print "EXPR=> $expression\n" if $debug;

-    if ( $expression =~ /^\d+$/ ) {
+    if ( $just_expand || $expression =~ /^\d+$/ ) {
 	$val = $expression
    } else {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
+
+	declare_passed unless $evals++;
+
+	$val = eval qq(package Shorewall::User;
+                       use strict;
+                       # line $linenumber "$filename"
+                       $expression);

 	unless ( $val ) {
 	    directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2602,7 +2703,7 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -2620,7 +2721,7 @@ sub process_compiler_directive( $$$$ ) {
    my %directives =
 	( IF => sub() {
 	    directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
 	    push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	    $omitting = $nextomitting;
 	  } ,
@@ -2632,7 +2733,7 @@ sub process_compiler_directive( $$$$ ) {
 		  #
 		  # We can only change to including if we were previously omitting
 		  #
-		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
 		  $included = ! $omitting;
 	      } else {
 		  #
@@ -2668,15 +2769,17 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2;
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      my $val = $actparms{$var} = evaluate_expression ( $expression,
+		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      my $val = $actparams{$var} = evaluate_expression ( $expression,
 									$filename,
-									$linenumber );
+									$linenumber,
+									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
-							    $linenumber );
+							    $linenumber,
+							    0 );
 		  }
 	      }
 	  } ,
@@ -2700,12 +2803,12 @@ sub process_compiler_directive( $$$$ ) {
 		  if ( ( $1 || '' ) eq '@' ) {
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      if ( exists $actparms{$var} ) {
+		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      if ( exists $actparams{$var} ) {
 			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
-			      $actparms{$var} = '';
+			      $actparams{$var} = '';
 			  } else {
-			      delete $actparms{$var}
+			      delete $actparams{$var}
 			  }
 		      } else {
 			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
@@ -2736,7 +2839,34 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
 		  }
 	      }
-	  }
+	  } ,
+
+	  ERROR => sub() {
+	      directive_error( evaluate_expression( $expression ,
+						    $filename ,
+						    $linenumber ,
+						    1 ) ,
+			       $filename ,
+			       $linenumber ) unless $omitting;
+	  } ,
+
+	  WARNING => sub() {
+	      directive_warning( evaluate_expression( $expression ,
+						      $filename ,
+						      $linenumber ,
+						      1 ),
+				 $filename ,
+				 $linenumber ) unless $omitting;
+	  } ,
+
+	  INFO => sub() {
+	      directive_info( evaluate_expression( $expression ,
+						   $filename ,
+						   $linenumber ,
+						   1 ),
+			      $filename ,
+			      $linenumber ) unless $omitting;
+	  } ,

 	);

@@ -2793,6 +2923,11 @@ sub copy( $ ) {
 		print $script $_;
 		print $script "\n";
 		$lastlineblank = 0;
+
+		if ( $debug ) {
+		    s/\n/\nGS-----> /g;
+		    print "GS-----> $_\n";
+		}
 	    }
 	}

@@ -3120,7 +3255,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;

-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );

    $directive_callback->( 'PERL', $currentline ) if $directive_callback;

@@ -3147,6 +3282,8 @@ sub embedded_perl( $ ) {

    $embedded++;

+    declare_passed unless $evals++;
+
    unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -3207,32 +3344,32 @@ sub push_action_params( $$$$$$ ) {
    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
    my @parms = ( undef , split_list3( $parms , 'parameter' ) );

-    $actparms{modified}   = $parmsmodified;
-    $actparms{usedcaller} = $usedcaller;
+    $actparams{modified}   = $parmsmodified;
+    $actparams{usedcaller} = $usedcaller;

-    my %oldparms = %actparms;
+    my %oldparms = %actparams;

    $parmsmodified = 0;
    $usedcaller    = 0;

-    %actparms = ();
+    %actparams = ();

    for ( my $i = 1; $i < @parms; $i++ ) {
 	my $val = $parms[$i];

-	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
+	$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
    }

-    $actparms{0}           = $chainref;
-    $actparms{action}      = $action;
-    $actparms{loglevel}    = $loglevel;
-    $actparms{logtag}      = $logtag;
-    $actparms{caller}      = $caller;
-    $actparms{disposition} = '' if $chainref->{action};
+    $actparams{0}           = $chainref;
+    $actparams{action}      = $action;
+    $actparams{loglevel}    = $loglevel;
+    $actparams{logtag}      = $logtag;
+    $actparams{caller}      = $caller;
+    $actparams{disposition} = '' if $chainref->{action};
    #
-    # The Shorewall variable '@chain' has the non-word charaters removed
+    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
    #
-    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w-]//g;

    \%oldparms;
 }
@@ -3245,10 +3382,10 @@ sub push_action_params( $$$$$$ ) {
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
-    %actparms          = %$oldparms;
+    %actparams          = %$oldparms;
    my $return         = $parmsmodified | $usedcaller;
-    ( $parmsmodified ) = delete $actparms{modified}   || 0;
-    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
+    ( $parmsmodified ) = delete $actparams{modified}   || 0;
+    ( $usedcaller )    = delete $actparams{usedcaller} || 0;
    $return;
 }

@@ -3258,11 +3395,11 @@ sub default_action_params {

    for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
-	my $curval = $actparms{$i};
-	$actparms{$i} = $val unless supplied( $curval );
+	my $curval = $actparams{$i};
+	$actparams{$i} = $val unless supplied( $curval );
    }

-    fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
+    fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }

 sub get_action_params( $ ) {
@@ -3273,53 +3410,65 @@ sub get_action_params( $ ) {
    my @return;

    for ( my $i = 1; $i <= $num; $i++ ) {
-	my $val = $actparms{$i};
+	my $val = $actparams{$i};
 	push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
    }

    @return;
 }

+sub setup_audit_action( $ ) {
+    my ( $action ) = @_;
+
+    my ( $target, $audit ) = get_action_params( 2 );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
+	fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
+	$actparams{1} = "A_$target" unless $target =~ /^A_/;
+    }
+}
+
 #
 # Returns the Level and Tag for the current action chain
 #
 sub get_action_logging() {
-    @actparms{ 'loglevel', 'logtag' };
+    @actparams{ 'loglevel', 'logtag' };
 }

 sub get_action_chain() {
-    $actparms{0};
+    $actparams{0};
 }

 sub get_action_chain_name() {
-    $actparms{chain};
+    $actparams{chain};
 }

 sub set_action_name_to_caller() {
-    $actparms{chain} = $actparms{caller};
+    $actparams{chain} = $actparams{caller};
 }

 sub get_action_disposition() {
-    $actparms{disposition};
+    $actparams{disposition};
 }

 sub set_action_disposition($) {
-    $actparms{disposition} = $_[0];
+    $actparams{disposition} = $_[0];
 }

 sub set_action_param( $$ ) {
    my $i = shift;

    fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
-    $actparms{$i} = shift;
+    $actparams{$i} = shift;
 }

 #
-# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config, 
+# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config, 
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
    #                         $1      $2   $3                   -     $4
    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {

@@ -3333,16 +3482,16 @@ sub expand_variables( \$ ) {
 	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
 		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
 	    } else {
-		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
+		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }

-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
-	} elsif ( exists $actparms{$var} ) { 
-	    $val = $actparms{$var};
+	} elsif ( exists $actparams{$var} ) { 
+	    $val = $actparams{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3361,7 +3510,7 @@ sub expand_variables( \$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    my $val = $var ? $actparms{$var} : $actparms{chain};
+	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
@@ -3421,17 +3570,17 @@ sub handle_first_entry() {
 sub read_a_line($) {
    my $options = $_[0];

+  LINE:
    while ( $currentfile ) {
-
 	$currentline = '';
 	$currentlinenumber = 0;

 	while ( <$currentfile> ) {
 	    chomp;
 	    #
-	    # Handle conditionals
+	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3445,7 +3594,7 @@ sub read_a_line($) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
+	    s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
@@ -3456,19 +3605,20 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
+	    # We now have a (possibly concatenated) line
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
-		    handle_first_entry if $first_entry;
-		    embedded_shell( $1 );
-		    next;
-		}
-
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
-		    next;
+		    next LINE;
+		}
+
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		    handle_first_entry if $first_entry;
+		    embedded_shell( $1 );
+		    next LINE;
 		}
 	    }
 	    #
@@ -3480,7 +3630,7 @@ sub read_a_line($) {
 		#
 		# Ignore (concatinated) blank lines
 		#
-		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		next LINE if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
@@ -3491,7 +3641,7 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Expand Shell Variables using %params and %actparms
+	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;

@@ -3511,18 +3661,16 @@ sub read_a_line($) {
 		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
 		}

-		$currentline = '';
-            } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
-                my $sectionname = $1;
-                fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
-                fatal_error "This file does not allow ?SECTION" unless $section_function;
-                $section_function->($sectionname);
-                $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
-                $currentline = '';
+		next LINE;
+	    } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
+		my $sectionname = $1;
+		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
+		fatal_error "This file does not allow ?SECTION" unless $section_function;
+		$section_function->($sectionname);
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
@@ -4812,8 +4960,16 @@ sub ensure_config_path() {

    @config_path = split /:/, $config{CONFIG_PATH};

+    #
+    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
+    # clash on a case-insensitive filesystem.
+    #
+    push @config_path, $globals{SHAREDIR}    . "/deprecated";
+    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
+
    for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
+        s|//|/|g;
    }

    if ( $shorewall_dir ) {
@@ -5329,7 +5485,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -5769,16 +5925,21 @@ sub get_configuration( $$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';

+    $val = $config{SAVE_IPSETS};
+
    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
-	$val = $config{SAVE_IPSETS};
-	unless ( $val eq 'ipv4' ) {
+	if ( $val eq 'ipv4' ) {
+	    fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
+	} else {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
-	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
+
+	require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
    }

+
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5861,7 +6022,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
-    default_yes_no 'DOCKER'                      , '';
+    default_yes_no 'DOCKER'                     , '';

    if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
@@ -5909,7 +6070,33 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }

-    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
+    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
+	if ( $val =~ /^ipset/ ) {
+	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
+
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
+
+	    if ( supplied( $set ) ) {
+		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
+	    } else {
+		$set = 'SW_DBL' . $family;
+	    }
+
+	    add_ipset( $set );
+	    
+	    $level = validate_level( $level );
+
+	    $tag = '' unless defined $tag;
+
+	    $config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
+
+	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
+
+	} else {
+	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
+	}
+    }
+
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
@@ -5921,6 +6108,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
+    default_yes_no 'MINIUPNPD'                  , '';

    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';

@@ -6025,7 +6213,7 @@ sub get_configuration( $$$$ ) {

    default_log_level 'SFILTER_LOG_LEVEL', 'info';

-    if ( $val = $config{SFILTER_DISPOSITION} ) {
+    if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
    } else {
@@ -6034,14 +6222,14 @@ sub get_configuration( $$$$ ) {

    default_log_level 'RPFILTER_LOG_LEVEL', 'info';

-    if ( $val = $config{RPFILTER_DISPOSITION} ) {
+    if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
    } else {
 	$config{RPFILTER_DISPOSITION} = 'DROP';
    }

-    if ( $val = $config{MACLIST_DISPOSITION} ) {
+    if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6060,7 +6248,7 @@ sub get_configuration( $$$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
    }

-    if ( $val = $config{RELATED_DISPOSITION} ) {
+    if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{RELATED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6079,7 +6267,7 @@ sub get_configuration( $$$$ ) {
 	$globals{RELATED_TARGET}      = 'ACCEPT';
    }

-    if ( $val = $config{INVALID_DISPOSITION} ) {
+    if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{INVALID_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6098,7 +6286,7 @@ sub get_configuration( $$$$ ) {
 	$globals{INVALID_TARGET}      = '';
    }

-    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+    if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{UNTRACKED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6117,7 +6305,7 @@ sub get_configuration( $$$$ ) {
 	$globals{UNTRACKED_TARGET}        = '';
    }

-    if ( $val = $config{MACLIST_TABLE} ) {
+    if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
 	} else {
@@ -6127,7 +6315,7 @@ sub get_configuration( $$$$ ) {
 	default 'MACLIST_TABLE' , 'filter';
    }

-    if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
+    if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
 	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
 	require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
    } else {
@@ -6158,7 +6346,7 @@ sub get_configuration( $$$$ ) {
 	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
    }

-    if ( $val = $config{TC_PRIOMAP} ) {
+    if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
 	my @priomap = split ' ',$val;
 	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
 	for ( @priomap ) {
@@ -6177,12 +6365,13 @@ sub get_configuration( $$$$ ) {
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';
-    default 'OPTIMIZE'              , 0;

    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }

+    default 'OPTIMIZE' , 0;
+
    if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
 	$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
    } elsif ( $val =~ /^none$/i ) {
@@ -6419,7 +6608,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
    }

@@ -6517,6 +6706,7 @@ sub report_used_capabilities() {
 }

 END {
+    print "eval() called $evals times\n" if $debug;
    cleanup;
 }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -89,6 +89,7 @@ sub setup_ecn()
 {
    my %interfaces;
    my @hosts;
+    my $interfaceref;

    if ( my $fn = open_file 'ecn' ) {

@@ -105,7 +106,13 @@ sub setup_ecn()
 						    2 );

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
+
+	    if ( $interfaceref->{root} ) {
+		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	    } else {
+		$interface = $interfaceref->{name};
+	    }

 	    my $lineinfo = shortlineinfo( '' );

@@ -639,8 +646,10 @@ sub create_docker_rules() {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
    }
@@ -666,16 +675,88 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
+    my $dbl_type;
+    my $dbl_ipset;
+    my $dbl_level;
+    my $dbl_tag;
+    my $dbl_target;
+
+    if ( $config{REJECT_ACTION} ) {
+	process_reject_action;
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+    } else {
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
+	    }
+
+	    incr_cmd_level $rejectref;
+	    add_ijump $rejectref, j => 'DROP', d => '$address';
+	    decr_cmd_level $rejectref;
+	    add_commands $rejectref, 'done';
+	}
+
+	if ( $family == F_IPV4 ) {
+	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
+	} else {
+	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
+	}
+
+	add_ijump $rejectref , j => 'DROP', p => 2;
+	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+
+	if ( have_capability( 'ENHANCED_REJECT' ) ) {
+	    add_ijump $rejectref , j => 'REJECT', p => 17;
+
+	    if ( $family == F_IPV4 ) {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
+	    } else {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
+	    }
+	} else {
+	    add_ijump $rejectref , j => 'REJECT';
+	}
+    }
+
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};

-    if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
-	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
-	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
-	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
+    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
+	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
+
+	unless ( $dbl_type =~ /^ipset-only/ ) {
+	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
+	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
+	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
+	}
+
+	if ( $dbl_ipset ) {
+	    if ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+	    } else {
+		$dbl_target = 'DROP'; 
+	    }
+	}
    }

    setup_mss;
@@ -779,8 +860,13 @@ sub add_common_rules ( $ ) {
 		}
 	    }

+	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
+		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+	    }
+	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -939,46 +1025,6 @@ sub add_common_rules ( $ ) {
 	}
    }

-    unless ( $config{REJECT_ACTION} ) {
-	if ( have_capability( 'ADDRTYPE' ) ) {
-	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
-	} else {
-	    if ( $family == F_IPV4 ) {
-		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
-	    } else {
-		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
-	    }
-
-	    incr_cmd_level $rejectref;
-	    add_ijump $rejectref, j => 'DROP', d => '$address';
-	    decr_cmd_level $rejectref;
-	    add_commands $rejectref, 'done';
-	}
-
-	if ( $family == F_IPV4 ) {
-	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
-	} else {
-	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
-	}
-
-	add_ijump $rejectref , j => 'DROP', p => 2;
-	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
-
-	if ( have_capability( 'ENHANCED_REJECT' ) ) {
-	    add_ijump $rejectref , j => 'REJECT', p => 17;
-
-	    if ( $family == F_IPV4 ) {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
-	    } else {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
-	    }
-	} else {
-	    add_ijump $rejectref , j => 'REJECT';
-	}
-    }
-
    $list = find_interfaces_by_option 'dhcp';

    if ( @$list ) {
@@ -1094,10 +1140,18 @@ sub add_common_rules ( $ ) {

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

+	    my $chainref1;
+
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
 	    $announced = 1;

 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}

@@ -1785,12 +1839,14 @@ sub add_output_jumps( $$$$$$$$ ) {
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
+    my @zone_interfaces   = keys %{zone_interfaces( $zone )};

-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
+	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1807,7 +1863,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the input interface
+	    # Not a bridge -- match the output interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2417,16 +2473,16 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            logger -p kern.err "ERROR:$g_product start failed"
+	            mylogger kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            logger -p kern.err "ERROR:$g_product reload failed"
+	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            logger -p kern.err "ERROR:$g_product refresh failed"
+	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
-                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac

@@ -2635,7 +2691,7 @@ EOF
    emit '

    set_state "Stopped"
-    logger -p kern.info "$g_product Stopped"
+    mylogger kern.info "$g_product Stopped"

    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
+    my $prerule       = '';
    #
    # Leading '+'
    #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    }	
    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
+    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
@@ -165,7 +173,9 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
+	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -336,7 +346,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
@@ -449,7 +459,9 @@ sub do_one_nat( $$$$$ )

    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
+	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -551,7 +563,9 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;

-		    unless ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -392,7 +392,7 @@ sub start_provider( $$$$$ ) {
 }

 #
-# Look up a provider and return it's number. If unknown provider, 0 is returned
+# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
 #
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
@@ -408,7 +408,7 @@ sub lookup_provider( $ ) {
 	}
    }

-    $providerref ? $providerref->{number} : 0;
+    $providerref;
 }

 #
@@ -666,7 +666,9 @@ sub process_a_provider( $ ) {
    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
+	my $n = $p ? $p->{number} : 0;
+	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
+	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -1094,7 +1096,7 @@ CEOF

    if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "persistent_${what}_${table}\n" );
+	    emit( "do_persistent_${what}_${table}\n" );
 	}

 	if ( $shared ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -82,6 +82,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interface
 		    known_interface
 		    get_physical
+		    get_logical
 		    physical_name
 		    have_bridges
 		    port_to_bridge
@@ -102,7 +103,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_hosts_by_option
 		    find_zone_hosts_by_option
 		    find_zones_by_option
-		    all_ipsets
 		    have_ipsec
 		 ),
 	      );
@@ -209,8 +209,6 @@ our @interfaces;
 our %interfaces;
 our %roots;
 our @bport_zones;
-our %ipsets;
-our %physical;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -326,8 +324,6 @@ sub initialize( $$ ) {
    %roots = ();
    %interfaces = ();
    @bport_zones = ();
-    %ipsets = ();
-    %physical = ();
    %basemap = ();
    %basemap1 = ();
    %mapbase = ();
@@ -349,6 +345,7 @@ sub initialize( $$ ) {
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				  nodbl       => SIMPLE_IF_OPTION,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
@@ -396,6 +393,7 @@ sub initialize( $$ ) {
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
@@ -1281,7 +1279,7 @@ sub process_interface( $$ ) {
 		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		    fatal_error "Duplicate $option option" if $netsref;
 		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			require_capability( 'IPSET_V5', 'Dynamic nets', '');
 			$hostoptions{dynamic} = 1;
 			#
 			# Defer remaining processing until we have the final physical interface name
@@ -1311,7 +1309,7 @@ sub process_interface( $$ ) {
 		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
@@ -1345,7 +1343,7 @@ sub process_interface( $$ ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
+	    add_ipset($ipset);
 	}

 	if ( $options{bridge} ) {
@@ -1385,21 +1383,23 @@ sub process_interface( $$ ) {
 	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
    }

-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
-						       bridge     => $bridge ,
-						       filter     => $filterref ,
-						       nets       => 0 ,
-						       number     => $nextinum ,
-						       root       => $root ,
-						       broadcasts => $broadcasts ,
-						       options    => \%options ,
-						       zone       => '',
-						       physical   => $physical ,
-						       base       => var_base( $physical ),
-						       zones      => {},
-						       origin     => shortlineinfo( '' ),
-						       wildcard   => $wildcard,
-						     };
+    my $interfaceref = $interfaces{$interface} = { name       => $interface ,
+						   bridge     => $bridge ,
+						   filter     => $filterref ,
+						   nets       => 0 ,
+						   number     => $nextinum ,
+						   root       => $root ,
+						   broadcasts => $broadcasts ,
+						   options    => \%options ,
+						   zone       => '',
+						   physical   => $physical ,
+						   base       => var_base( $physical ),
+						   zones      => {},
+						   origin     => shortlineinfo( '' ),
+						   wildcard   => $wildcard,
+					         };
+
+    $interfaces{$physical} = $interfaceref if $physical ne $interface;

    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
@@ -1570,20 +1570,23 @@ sub known_interface($)

 		my $physical = map_physical( $interface, $interfaceref );

-		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
-						   bridge   => $interfaceref->{bridge} ,
-						   name     => $i ,
-						   number   => $interfaceref->{number} ,
-						   physical => $physical ,
-						   base     => var_base( $physical ) ,
-						   wildcard => $interfaceref->{wildcard} ,
-						   zones    => $interfaceref->{zones} ,
-						 };
+		$interfaceref =
+		    $interfaces{$interface} =
+		    $interfaces{$physical} = { options  => $interfaceref->{options} ,
+					       bridge   => $interfaceref->{bridge} ,
+					       name     => $i ,
+					       number   => $interfaceref->{number} ,
+					       physical => $physical ,
+					       base     => var_base( $physical ) ,
+					       wildcard => $interfaceref->{wildcard} ,
+					       zones    => $interfaceref->{zones} ,
+		                              };
+		return $interfaceref;
 	    }
 	}
    }

-    $physical{$interface} || 0;
+    0;
 }

 # 
@@ -1655,12 +1658,19 @@ sub find_interface( $ ) {
 }

 #
-# Returns the physical interface associated with the passed logical name
+# Returns the physical interface associated with the passed interface name
 #
 sub get_physical( $ ) {
    $interfaces{ $_[0] }->{physical};
 }

+#
+# Returns the logical interface associated with the passed interface name
+#
+sub get_logical( $ ) {
+    $interfaces{ $_[0] }->{name};
+}
+
 #
 # This one doesn't insist that the passed name be the name of a configured interface
 #
@@ -2040,6 +2050,7 @@ sub process_host( ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	    $interface = $interfaceref->{name};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
@@ -2053,7 +2064,7 @@ sub process_host( ) {

 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-
+	$interface = $interfaceref->{name};
 	if ( $interfaceref->{physical} eq $loopback_interface ) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
@@ -2141,7 +2152,7 @@ sub process_host( ) {

 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
+	add_ipset($set);
    }

    #
@@ -2261,8 +2272,4 @@ sub find_zones_by_option( $$ ) {
    \@zns;
 }

-sub all_ipsets() {
-    sort keys %ipsets;
-}
-
 1;
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }

 #
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface

 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }

 #
--- a/Shorewall/README.txt
+++ b/Shorewall/README.txt
@@ -1 +0,0 @@
-This is the Shorewall 4.4 stable branch of Git.
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -192,6 +192,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -200,6 +200,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -1,41 +1,39 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.A_Drop
 #
-# /usr/share/shorewall/action.A_Drop
+# The audited default DROP common rules
 #
-#	The audited default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
-# Silently DROP 'auth'
+# Special Handling for Auth
 #
 Auth(A_DROP)
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall/action.A_REJECT
+++ b/Shorewall/action.A_REJECT
@@ -0,0 +1,41 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+#
+# A_REJECT Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+AUDIT(reject)
+
+?if passed @1
+    ?if @1 =~ /tcp-reset$/
+        ?set reject_proto 6
+    ?else
+        ?set reject_proto ''
+    ?endif
+REJECT(@1)	-	-	$reject_proto
+?else
+REJECT
+?endif
--- a/Shorewall/action.A_REJECT!
+++ b/Shorewall/action.A_REJECT!
@@ -0,0 +1,30 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECT!
+#
+# A_REJECT! Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+A_REJECT(@1)
--- a/Shorewall/action.A_Reject.deprecated
+++ b/Shorewall/action.A_Reject.deprecated
@@ -1,34 +1,35 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.A_Reject
 #
-# /usr/share/shorewall/action.A_Reject
+# The audited default REJECT action common rules
 #
-#	The audited default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Auto Blacklist Action
+# Shorewall -- /usr/share/shorewall/action.AutoBL
+#
+# Auto Blacklist Action
 #
 # Parameters are:
 #
-#    Event          - Name of the event to associate with this blacklist
-#    Interval
-#    Count          - Interval and number of Packets to trigger blacklisting
-#                     Default is 60 seconds and 5 packets.
-#    Successive     - If a matching packet arrives within this many
-#                     seconds of the preceding one, it should be logged
-#                     and dealt with according to the Disposition and
-#                     Log Level parameters below. Default is 2 seconds.
-#    Blacklist time - Number of seconds to blacklist
-#                     Default is 300 (5 minutes)
-#    Disposition    - Disposition of blacklisted packets
-#                     Default is DROP
-#    Log Level      - Level to Log Rejects
-#                     Default is info (6)
+# Event          - Name of the event to associate with this blacklist
+#                  Interval
+# Count          - Interval and number of Packets to trigger blacklisting
+#                  Default is 60 seconds and 5 packets.
+# Successive     - If a matching packet arrives within this many
+#                  seconds of the preceding one, it should be logged
+#                  and dealt with according to the Disposition and
+#                  Log Level parameters below. Default is 2 seconds.
+# Blacklist time - Number of seconds to blacklist
+#                  Default is 300 (5 minutes)
+# Disposition    - Disposition of blacklisted packets
+#                  Default is DROP
+# Log Level      - Level to Log Rejects
+#                  Default is info (6)
 #
 ###############################################################################

@@ -37,7 +39,7 @@ validate_level( $level );
 1;
 ?end perl
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Silently reject the client if blacklisted
 #
--- a/Shorewall/action.AutoBLL
+++ b/Shorewall/action.AutoBLL
@@ -1,13 +1,16 @@
 #
-# Shorewall version 5 - Auto Blacklisting Logger Action
+# Shorewall -- /usr/share/shorewall/action.AutoBLL
+#
+# Auto Blacklisting Logger Action
 #
 # Arguments are
 #
-#    Event:       Name of the blacklisted event
-#    Disposition: What to do with packets
-#    Level:       Log level and optional tag for logging.
+# Event       - Name of the blacklisted event
+# Disposition - What to do with packets
+# Level       - Log level and optional tag for logging
+#
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Log the Reject
 #
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -1,73 +1,59 @@
 #
-# Shorewall 4 - Broadcast Action
+# Shorewall -- /usr/share/shorewall/action.Broadcast
 #
-#    /usr/share/shorewall/action.Broadcast
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Broadcast[([<action>|-[,{audit|-}])]
 #
-#   Broadcast[([<action>|-[,{audit|-}])]
+# Default action is DROP
 #
-#       Default action is DROP
-#
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

+?if __ADDRTYPE
+@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+?else
 ?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;

-my ( $action, $audit ) = get_action_params( 2 );
-
-fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
+my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
-
 my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );

-if ( have_capability( 'ADDRTYPE' ) ) {
-    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }
+add_commands $chainref, 'for address in $ALL_BCASTS; do';
+incr_cmd_level $chainref;
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+add_jump $chainref, $action, 0, "-d \$address ";
+decr_cmd_level $chainref;
+add_commands $chainref, 'done';

-    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
-} else {
-    add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-    add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
-}
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';

 1;

 ?end perl;
+?endif
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -1,33 +1,34 @@
 #
-# Shorewall 5 - DNS Amplification Action
+# Shorewall -- /usr/share/shorewall/action.DNSAmp
 #
-#    /usr/share/shorewall/action.DNSAmp
+#  DNS Amplification Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   DNSAmp[([<action>])]
+# DNSAmp[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT

 DEFAULTS DROP

-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -1,59 +1,45 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.Drop
 #
-# /usr/share/shorewall/action.Drop
+# The default DROP common rules
 #
-#	The default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# The action accepts six optional parameters:
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is to do nothing special
-#	    with them.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;

-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
+?endif

-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;
-
-DEFAULTS -,-,DROP,ACCEPT,DROP
-
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
@@ -61,18 +47,21 @@ COUNT
 #
 # Special Handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Don't log broadcasts
 #
 Broadcast(DROP,@1)
 #
-# ACCEPT critical ICMP types
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
@@ -81,7 +70,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop Smurfs Action
+# Shorewall -- /usr/share/shorewall/action.DropSmurfs
 #
-# /usr/share/shorewall/action.DropSmurfs
+# Drop Smurfs Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
-#          audit = Audit dropped packets.
+# -     = Do not Audit
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################

 DEFAULTS -

@@ -79,8 +79,3 @@ if ( $family == F_IPV4 ) {
 }

 ?end perl;
-
-
-
-
-
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -1,48 +1,35 @@
 #
-# Shorewall 5 - Established Action
+# Shorewall -- /usr/share/shorewall/action.Established
 #
-#    /usr/share/shorewall/action.Established
+# Established Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Established[([<action>])]
+# Established[([<action>])]
 #
-#       Default action is ACCEPT
+# Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################

 DEFAULTS ACCEPT

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'ESTABLISHED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -1,33 +1,25 @@
 #
-# Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
+# Shorewall -- /usr/share/shorewall/action.GlusterFS
 #
-# /etc/shorewall/action.GlusterFS
+# GlusterFS Handler for GlusterFS 3.4 and Later
 #
 # Parameters:
-#	Bricks:		Number of bricks
-#	IB:		0 or 1, indicating whether Infiniband is used or not
 #
-#########################################################################################
+# Bricks - Number of bricks
+# IB     - 0 or 1, indicating whether Infiniband is used or not
+#
+###############################################################################

 DEFAULTS 2,0

-?begin perl
+?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
+    ?error Invalid value for Bricks (@1)
+?elsif @2 !~ /^[01]$/
+    ?error Invalid value for IB (@2)
+?endif

-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Chains;
-use Shorewall::Rules;
-use strict;
+#ACTION		SOURCE		DEST		PROTO	DPORT

-my ( $bricks, $ib ) = get_action_params( 2 );
-
-fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
-fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
-
-?end perl
-
-
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
 ACCEPT		-		-		udp	111,2049
 ACCEPT		-		-		tcp	38465:38467

@@ -40,4 +32,3 @@ ACCEPT		-		-		tcp	24007
 ?set last_port 49150 + @{1}

 ACCEPT		-		-		tcp	49151:$last_port
-
--- a/Shorewall/action.IfEvent
+++ b/Shorewall/action.IfEvent
@@ -1,34 +1,38 @@
 #
-# Shorewall version 5 - Perform an Action based on a Event
+# Shorewall -- /usr/share/shorewall/action.IfEvent
 #
-# /etc/shorewall/action.IfEvent
+# Perform an Action based on a Event
 #
 # Parameters:
-#    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:       Anything that can appear in the ACTION column of a rule.
-#    Duration:     Duration in seconds over which the event is to be tested.
-#    Hit Count:    Number of packets seen within the duration -- default is 1
-#    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
-#                  address (src) or destination address (dst)
-#    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
-#                  the Action is taken. If 'update', the timestamp associated with the event will
-#                  be updated and the action taken if the time limit/hitcount are matched.
-#                  If '-', the action will be taken if the limit/hitcount are matched but the
-#                  event's timestamp will not be updated.
 #
-#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
-#                  be used. These are like 'check' and 'update' respectively, but they also
-#                  remove any event entries for the IP address that are older than <duration>
-#                  seconds.
-#    Disposition:  Disposition for any event generated.
+# Event        - Must start with a letter and be composed of letters, digits,
+#                '-', and '_'.
+# Action       - Anything that can appear in the ACTION column of a rule.
+# Duration     - Duration in seconds over which the event is to be tested.
+# Hit Count    - Number of packets seen within the duration -- default is 1
+# Src or Dest  - 'src' (default) or 'dst'. Determines if the event is
+#                associated with the source address (src) or destination
+#                address (dst)
+# Command      - 'check' (default) 'reset', or 'update'. If 'reset',
+#                the event will be reset before the Action is taken.
+#                If 'update', the timestamp associated with the event will
+#                be updated and the action taken if the time limit/hitcount
+#                are matched.
+#                If '-', the action will be taken if the limit/hitcount are
+#                matched but the event's timestamp will not be updated.
+#
+#                If a duration is specified, then 'checkreap' and 'updatereap'
+#                may also be used. These are like 'check' and 'update'
+#                respectively, but they also remove any event entries for
+#                the IP address that are older than <duration> seconds.
+# Disposition  - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT

 DEFAULTS -,ACCEPT,-,1,src,check,-

--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -1,53 +1,35 @@
 #
-# Shorewall 4 - Invalid Action
+# Shorewall -- /usr/share/shorewall/action.Invalid
 #
-#    /usr/share/shorewall/action.Invalid
+# Invalid Action
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Invalid[([<action>])]
 #
-#   Invalid[([<action>])]
+# Default action is DROP
 #
-#       Default action is DROP
-#
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
-     $action = "A_$action";
-}
-
-if ( my $check = check_state( 'INVALID' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is triggered by the 'audit' and 'state' options
+# in actions.std
+#
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -1,48 +1,35 @@
 #
-# Shorewall 4 - New Action
+# Shorewall -- /usr/share/shorewall/action.New
 #
-#    /usr/share/shorewall/action.New
+# New Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+# New[([<action>])]
 #
-#       Default action is ACCEPT
+# Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################

 DEFAULTS ACCEPT

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'NEW' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,52 +1,33 @@
 #
-# Shorewall 4 - NotSyn Action
+# Shorewall -- /usr/share/shorewall/action.NotSyn
 #
-#    /usr/share/shorewall/action.NotSyn
+# NotSyn Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>])]
+# NotSyn[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
-     $action = "A_$action";
-}    
-
-perl_action_tcp_helper( $action, '-p 6 ! --syn' );
-
-1;
-
-?end perl;
+@1	 -	-	;;+  -p 6 ! --syn
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -1,50 +1,33 @@
 #
-# Shorewall 4 - RST Action
+# Shorewall -- /usr/share/shorewall/action.RST
 #
-#    /usr/share/shorewall/action.RST
+# RST Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>])]
+# RST[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

-?begin perl;
-
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
-     $action = "A_$action";
-}    
-
-perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
-
-1;
-
-?end perl;
+@1	 -	-	;;+ -p 6 --tcp-flags RST RST
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -1,58 +1,44 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.Reject
 #
-# /usr/share/shorewall/action.Reject
+# The default REJECT action common rules
 #
-#	The default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
 #
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
+# The action accepts six optional parameters:
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is to do nothing
-#	    special with them.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;

-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
+?endif

-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;
-
-DEFAULTS -,-,REJECT,ACCEPT,DROP
-
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
@@ -60,19 +46,22 @@ COUNT
 #
 # Special handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 #
-# ACCEPT critical ICMP types
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
@@ -82,7 +71,7 @@ Invalid(DROP,@1)
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -1,49 +1,35 @@
 #
-# Shorewall 4 - Related Action
+# Shorewall -- /usr/share/shorewall/action.Related
 #
-#    /usr/share/shorewall/action.Related
+# Related Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Related[([<action>])]
+# Related[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'RELATED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Reset an Event
+# Shorewall -- /etc/shorewall/action.ResetEvent
 #
-# /etc/shorewall/action.ResetEvent
+# Reset an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any rule generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any rule generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#                        DO NOT REMOVE THE FOLLOWING LINE
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

 DEFAULTS -,ACCEPT,src,-

--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -1,22 +1,20 @@
 #
-# Shorewall version 5 - Set an Event
+# Shorewall -- /usr/share/shorewall/action.SetEvent
 #
-# /etc/shorewall/action.SetEvent
+# Set an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any event generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,src

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,41 +1,29 @@
 #
-# Shorewall version 5 - Drop TCPFlags Action
+# Shorewall -- /usr/share/shorewall/action.TCPFlags
 #
-# /usr/share/shorewall/action.TCPFlags
+# Drop TCPFlags Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
-#          audit = Audit dropped packets.
+# -     = Do not Audit
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################

 DEFAULTS -

-?begin perl;
-use strict;
-use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
-perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
-
-?end perl;
-
-
-
-
+?if passed(@1)
+    ?if @1 eq 'audit'
+        ?set tcpflags_action 'A_DROP'
+    ?else
+	?error The parameter to TCPFlags must be 'audit' or '-'
+    ?endif
+?else
+    ?set tcpflags_action 'DROP'
+?endif

+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -1,47 +1,35 @@
 #
-# Shorewall 4 - Untracked Action
+# Shorewall --/usr/share/shorewall/action.Untracked
 #
-#    /usr/share/shorewall/action.Untracked
+# Untracked Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+# Untracked[([<action>])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################
+
 DEFAULTS DROP

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'UNTRACKED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -1,52 +1,37 @@
-\#
-# Shorewall 4 - allowInvalid Action
 #
-#    /usr/share/shorewall/action.allowInvalid
+# Shorewall -- /usr/share/shorewall/action.allowInvalid
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   allowInvalid[([audit])]
+#  allowInvalid[([audit])]
 #
-##########################################################################################
+###############################################################################

 DEFAULTS -

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'ACCEPT';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
-     $action = "A_ACCEPT";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;
+?if passed(@1)
+    ?if @1 eq 'audit'
+Invalid(A_ACCEPT)
+    ?else
+        ?error The first parameter to allowInvalid must be 'audit' or '-'
+    ?endif
+?else
+Invalid(ACCEPT)
+?endif
--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -1,52 +1,39 @@
 #
-# Shorewall 5 - dropInvalid Action
+# Shorewall -- /usr/share/shorewall/action.dropInvalid
 #
-#    /usr/share/shorewall/action.dropInvalid
+# dropInvalid Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   dropInvalid[([audit])]
+# dropInvalid[([audit])]
 #
-##########################################################################################
+###############################################################################

 DEFAULTS -

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;
+?if passed(@1)
+    ?if @1 eq 'audit'
+Invalid(A_DROP)
+    ?else
+        ?error The first parameter to dropInvalid must be 'audit' or '-'
+    ?endif
+?else
+Invalid(DROP)
+?endif
--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall -- /etc/shorewall/action.mangletemplate
+#
+# Mangle Action Template
+#
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+# To define a new action:
+#
+# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
+#
+# Please see http://shorewall.net/Actions.html for additional
+# information.
+#
+# Columns are the same as in /etc/shorewall/mangle.
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -1,20 +1,20 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall -- /usr/share/shorewall/action.template
 #
-# /etc/shorewall/action.template
+# Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional
+# information.
 #
 # Columns are the same as in /etc/shorewall/rules.
 #
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,43 +8,45 @@
 #
 # Builtin Actions are:
 #
-#    A_ACCEPT           # Audits then accepts a connection request
-#    A_DROP             # Audits then drops a connection request
-#    A_REJECT		# Audits then drops a connection request
-#    allowBcast		# Silently Allow Broadcast/multicast
-#    dropBcast		# Silently Drop Broadcast/multicast
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
-#                       # work with kernel 2.6.14 and later).
-#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
-#    forwardUPnP	# Allow traffic that upnpd has redirected from
-#			# 'upnp' interfaces.
-#    Limit              # Limit the rate of connections from each individual
-#                       # IP address
-#
+?if 0
+A_ACCEPT                        # Audits then accepts a connection request
+A_DROP                          # Audits then drops a connection request
+allowBcast		        # Silently Allow Broadcast/multicast
+dropBcast		        # Silently Drop Broadcast/multicast
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit                           # Limit the rate of connections from each individual IP address
+?endif
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
 A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline             # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
-NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID      #
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline             # Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED    #
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -194,6 +194,8 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX=ko

 MULTICAST=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -419,11 +419,13 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -512,7 +514,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"

 cd configfiles

@@ -1060,15 +1062,31 @@ fi
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    case $f in
+	*.deprecated)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
+	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
+	    ;;
+	*)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	    ;;
+    esac
 done

 cd Macros

 for f in macro.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    case $f in
+	*.deprecated)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
+	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
+	    ;;
+	*)
+	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	    ;;
+    esac
 done

 cd ..
@@ -1159,6 +1177,8 @@ fi
 # Install the Man Pages
 #

+if [ -n "$MANDIR" ]; then
+
 cd manpages

 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1178,6 +1198,7 @@ done
 cd ..

 echo "Man Pages Installed"
+fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -333,6 +333,38 @@ get_config() {
 	g_pager="| $g_pager"
    fi

+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -403,7 +435,7 @@ compiler() {
    get_config Yes

    case $COMMAND in
-	*start|try|refresh)
+	*start|try|refresh|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -470,11 +502,15 @@ compiler() {
 	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
+    #
+    # Only use the pager if 'trace' or -r was specified and -d was not
+    #
+    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	$PERL $debugflags $pc $options $@
+	eval $PERL $debugflags $pc $options $@ $g_pager
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
    fi

    status=$?
@@ -494,7 +530,6 @@ compiler() {
 start_command() {
    local finished
    finished=0
-    local object
    local rc
    rc=0

@@ -513,7 +548,7 @@ start_command() {
 		[ -n "$nolock" ] || mutex_off
 	    else
 		rc=$?
-		logger -p kern.err "ERROR:$g_product start failed"
+		mylogger kern.err "ERROR:$g_product start failed"
 	    fi
 	fi

@@ -604,7 +639,7 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/$object; then
+	if ! uptodate ${VARDIR}/firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -993,7 +1028,7 @@ restart_command() {
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
-	    logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
+	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -53,7 +53,19 @@

          <variablelist>
            <varlistentry>
-              <term>builtin</term>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>builtin</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -86,7 +98,7 @@
            </varlistentry>

            <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>

              <listitem>
                <para>Causes the action body (defined in
@@ -102,10 +114,10 @@
                  way:</para>

                  <simplelist>
-                    <member>Broadcast</member>
-
                    <member>DropSmurfs</member>

+                    <member>IfEvent</member>
+
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -119,7 +131,31 @@
            </varlistentry>

            <varlistentry>
-              <term>noinline</term>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -128,7 +164,7 @@
            </varlistentry>

            <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -142,7 +178,16 @@
            </varlistentry>

            <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -488,6 +488,15 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">nodbl</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. When specified, dynamic
+                blacklisting is disabled on the interface.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -68,8 +68,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator </replaceable>indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -111,10 +112,14 @@
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -123,6 +128,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -370,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
@@ -484,7 +504,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

                    <member>0xc0a80403 LAND 0xFF = 0x03</member>

-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
@@ -720,33 +740,6 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
-
-          <orderedlist numeration="arabic">
-            <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.4.24.</para>
-
-              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
-              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. Beginning with Shorewall
-              4.5.7.s, it may be optionally followed by <emphasis
-              role="bold">:P</emphasis>, in which case the rule is added to
-              the PREROUTING chain.</para>
-
-              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              matching the rule will have their TTL incremented by
-              <replaceable>number</replaceable>. Similarly, if <emphasis
-              role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
-              neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
-              is set to <replaceable>number</replaceable>. The valid range of
-              values for <replaceable>number</replaceable> is 1-255.</para>
-            </listitem>
-          </orderedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -328,6 +328,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -546,6 +558,35 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -631,11 +672,37 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>

              <listitem>
                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp-net-unreachable</option></member>
+
+                  <member><option>icmp-host-unreachable</option></member>
+
+                  <member><option>i</option><option>cmp-port-unreachable</option></member>
+
+                  <member><option>icmp-proto-unreachable</option></member>
+
+                  <member><option>icmp-net-prohibited</option></member>
+
+                  <member><option>icmp-host-prohibited</option></member>
+
+                  <member><option>icmp-admin-prohibited</option></member>
+
+                  <member><option>icmp-tcp-reset</option> (the PROTO column
+                  must specify TCP)</member>
+                </simplelist>
              </listitem>
            </varlistentry>

@@ -1400,7 +1467,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -156,20 +156,23 @@

      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>

        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
-          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-          and you are running Shorewall 4.5.5 or earlier.</para>
+          here. You can use the same marks for different interfaces.</para>

-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
+          integer in the range 1-65535 and determines the relative order in
+          which the tc mark classification filter for this class is to be
+          applied to packets being sent on the
+          <replaceable>interface</replaceable>. Filters are applied in
+          ascending numerical order. If not supplied, the value is derived
+          from the class priority (PRIORITY column value below):
+          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
        </listitem>
      </varlistentry>

@@ -293,7 +296,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>You must define <emphasis
@@ -320,7 +323,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
              </listitem>
            </varlistentry>

@@ -339,7 +342,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 15)
                is used.</para>

                <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
@@ -372,7 +375,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>

                <note>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -761,15 +761,38 @@

      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>||<emphasis
+        role="bold">ipset</emphasis>[<emphasis
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall drop</command>,
-          <command>shorewall reject</command>, <command>shorewall
-          logdrop</command> and <command>shorewall logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          chain-based dynamic blacklisting using the <command>shorewall6
+          drop</command>, <command>shorewall6 reject</command>,
+          <command>shorewall6 logdrop</command> and <command>shorewall6
+          logreject</command> is disabled. Default is <emphasis
+          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
+          ipset-based dynamic blacklisting is also supported. The name of the
+          set (<replaceable>setname</replaceable>) and the level
+          (<replaceable>log_level</replaceable>), if any, at which blacklisted
+          traffic is to be logged may also be specified. The default set name
+          is SW_DBL4 and the default log level is <option>none</option> (no
+          logging). if <option>ipset-only</option> is given, then chain-based
+          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>
+
+          <para>When ipset-based dynamic blacklisting is enabled, the contents
+          of the blacklist will be preserved over
+          <command>stop</command>/<command>reboot</command>/<command>start</command>
+          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+          <replaceable>setname</replaceable> is included in the list of sets
+          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>

@@ -824,7 +847,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
+          (see below).</para>

          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -998,7 +1022,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1548,6 +1572,18 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1636,7 +1672,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1647,6 +1683,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '4'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
        </listitem>
      </varlistentry>

@@ -2464,9 +2504,11 @@ INLINE          -       -       -       ; -j REJECT
          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
-          determined by the setting of LOG_VERBOSITY above.</para>
+          role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
+          role="bold">try</emphasis>, and <emphasis
+          role="bold">safe-</emphasis>* command. Logging verbosity is
+          determined by the setting of LOG_VERBOSITY above. </para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -49,6 +49,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall</command>

@@ -955,6 +968,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -2593,6 +2625,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Essential Modules File
+# Shorewall -- /usr/share/shorewall/modules.essential
 #
-# /usr/share/shorewall/modules.essential
+# Essential Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 #
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Extensions Modules File
+# Shorewall -- /usr/share/shorewall/modules.extensions
 #
-# /usr/share/shorewall/modules.extensions
+# Extensions Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule ipt_addrtype
--- a/Shorewall/modules.ipset
+++ b/Shorewall/modules.ipset
@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall -- /usr/share/shorewall/modules.ipset
 #
-# /usr/share/shorewall/modules.ipset
+# IP Set Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_set
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Traffic Shaping Modules File
+# Shorewall -- /usr/share/shorewall/modules.tc
 #
-# /usr/share/shorewall/modules.tc
+# Traffic Shaping Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule sch_sfq
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - Xtables Modules File
+# Shorewall -- /usr/share/shorewall/modules.xtables
 #
-# /usr/share/shorewall/modules.xtables
+# Xtables Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_AUDIT
--- a/Shorewall6-lite/README.txt
+++ b/Shorewall6-lite/README.txt
@@ -1 +0,0 @@
-This is the Shorewall6-lite stable 4.4 branch of Git.
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -670,6 +683,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          The <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1515,6 +1547,35 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by
+    Shorewall6-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>See ALSO</title>

--- a/Shorewall6/README.txt
+++ b/Shorewall6/README.txt
@@ -1 +0,0 @@
-This is the Shorewall6 stable 4.4 branch of Git.
--- a/Shorewall6/action.A_AllowICMPs
+++ b/Shorewall6/action.A_AllowICMPs
@@ -1,13 +1,11 @@
 #
-# Shorewall6 version 5 - Audited AllowICMPs Action
+# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs
 #
-# /usr/share/shorewall6/action.A_AllowICMPs
-#
-#	This action A_ACCEPTs needed ICMP types
+# This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#TARGET		SOURCE		DEST	PROTO		DEST
-#							PORT(S)
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
 ?comment Needed ICMP types (RFC4890)

 A_ACCEPT	-		-	ipv6-icmp	destination-unreachable
--- a/Shorewall6/action.A_Drop
+++ b/Shorewall6/action.A_Drop
@@ -1,52 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Drop Action
-#
-# /usr/share/shorewall6/action.ADrop
-#
-#	The Audited default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#TARGET			SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Reject 'auth'
-#
-Auth(A_REJECT)
-#
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs		-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall6/action.A_Reject
+++ b/Shorewall6/action.A_Reject
@@ -1,50 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Reject Action
-#
-# /usr/share/shorewall6/action.A_Reject
-#
-#	The audited default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#TARGET			SOURCE	DEST	PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-A_AllowICMPs		-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall6/action.AllowICMPs
+++ b/Shorewall6/action.AllowICMPs
@@ -1,13 +1,10 @@
 #
-# Shorewall6 version 5 - AllowICMPs Action
+# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs
 #
-# /usr/share/shorewall6/action.AllowICMPs
-#
-#	This action ACCEPTs needed ICMP types
+# This action ACCEPTs needed ICMP types
 #
 ###############################################################################
-#TARGET	SOURCE		DEST	PROTO		DEST
-#						PORT(S)
+#ACTION	SOURCE		DEST	PROTO		DPORT

 DEFAULTS ACCEPT

--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -1,32 +1,32 @@
 #
-# Shorewall 4 - Multicast/Anycast Action
+# Shorewall6 -- /usr/share/shorewall6/action.Broadcast
 #
-#    /usr/share/shorewall/action.Broadcast
+# Multicast/Anycast IPv6 Action
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Broadcast[([<action>|-[,{audit|-}])]
+# Broadcast[([<action>|-[,{audit|-}])]
 #
-#       Default action is DROP
+# Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -1,91 +0,0 @@
-#
-# Shorewall6 version 5 - Drop Action
-#
-# /usr/share/shorewall6/action.Drop
-#
-#	The default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;
-
-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
-
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Reject 'auth'
-#
-Auth($2)
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs($4)	-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,$1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -1,89 +0,0 @@
-#
-# Shorewall6 version 5 - Reject Action
-#
-# /usr/share/shorewall6/action.Reject
-#
-#	The default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;
-
-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
-
-#TARGET		SOURCE	DEST	PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-Auth($2)
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-AllowICMPs($4)	-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,$1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)
--- a/Shorewall6/action.mangletemplate
+++ b/Shorewall6/action.mangletemplate
@@ -0,0 +1,19 @@
+#
+# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
+#
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+# To define a new action:
+#
+# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
+# 2. Copy this file to /etc/shorewall6/action.<action name>
+# 3. Add the desired rules to that file.
+#
+# Please see http://shorewall.net/Actions.html for additional information.
+#
+# Columns are the same as in /etc/shorewall6/mangle.
+#
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/action.template
+++ b/Shorewall6/action.template
@@ -1,25 +1,21 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall6 -- /usr/share/shorewall6/action.template
 #
-# /etc/shorewall6/action.template
+# Action Template
 #
-#	This file is a template for files with names of the form
-#	/etc/shorewall/action.<action-name> where <action> is an
-#	ACTION defined in /etc/shorewall/actions.
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined in /etc/shorewall/actions.
 #
-#	To define a new action:
+# To define a new action:
 #
-#	1. Add the <action name> to /etc/shorewall/actions
-#	2. Copy this file to /etc/shorewall/action.<action name>
-#	3. Add the desired rules to that file.
+# 1. Add the <action name> to /etc/shorewall/actions
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional information.
 #
 # Columns are the same as in /etc/shorewall6/rules.
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#####################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,11 +8,12 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets
-#    dropBcasts         # Silently Drop multicast and anycast packets
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#
+?if 0
+allowBcasts                     # Accept multicast and anycast packets
+dropBcasts                      # Silently Drop multicast and anycast packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
@@ -26,15 +27,19 @@ Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline		# Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED
 ResetEvent   inline		# Reset an Event
 RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handles bad flags combinations
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -83,7 +83,7 @@ case "$command" in
 	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -1,24 +1,24 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall6/lib.base
+# Shorewall -- /usr/share/shorewall6/lib.base
 #
-#     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
 #
-#       This program is part of Shorewall.
+# This program is part of Shorewall.
 #
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 2 of the license or, at your
+# option, any later version.
 #
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components.

--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -53,6 +53,18 @@
          <para>Added in Shorewall 4.5.10. Available options are:</para>

          <variablelist>
+            <varlistentry>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>builtin</term>

@@ -87,7 +99,7 @@
            </varlistentry>

            <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>

              <listitem>
                <para>Causes the action body (defined in
@@ -103,10 +115,10 @@
                  way:</para>

                  <simplelist>
-                    <member>Broadcast</member>
-
                    <member>DropSmurfs</member>

+                    <member>IfEvent</member>
+
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -120,7 +132,19 @@
            </varlistentry>

            <varlistentry>
-              <term>noinline</term>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
+                rather than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -129,7 +153,7 @@
            </varlistentry>

            <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -143,7 +167,16 @@
            </varlistentry>

            <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -365,6 +365,15 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">nodbl</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. When specified, dynamic
+                blacklisting is disabled on the interface.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">optional</emphasis></term>

--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -69,8 +69,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator</replaceable> indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -112,10 +113,14 @@
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
          and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -124,6 +129,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -381,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
@@ -495,7 +515,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

                    <member>0xc0a80403 LAND 0xFF = 0x03</member>

-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -303,6 +303,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -523,6 +535,35 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -632,11 +673,37 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>

              <listitem>
                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp6-no-route</option></member>
+
+                  <member><option>no-route</option></member>
+
+                  <member><option>i</option><option>cmp6-adm-prohibited</option></member>
+
+                  <member><option>adm-prohibited</option></member>
+
+                  <member><option>icmp6-addr-unreachable</option></member>
+
+                  <member><option>addr-unreach</option></member>
+
+                  <member><option>icmp6-port-unreachable</option></member>
+
+                  <member><option>tcp-reset</option> (the PROTO column must
+                  specify TCP)</member>
+                </simplelist>
              </listitem>
            </varlistentry>

@@ -1265,7 +1332,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -152,20 +152,23 @@

      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>

        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
-          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
+          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
-          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
-          and you are running Shorewall 4.5 5 or earlier.</para>
+          here. You can use the same marks for different interfaces.</para>

-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
+          integer in the range 1-65535 and determines the relative order in
+          which the tc mark classification filter for this class is to be
+          applied to packets being sent on the
+          <replaceable>interface</replaceable>. Filters are applied in
+          ascending numerical order. If not supplied, the value is derived
+          from the class priority (PRIORITY column value below):
+          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
        </listitem>
      </varlistentry>

@@ -314,7 +317,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
              </listitem>
            </varlistentry>

@@ -366,7 +369,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>

                <note>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -623,15 +623,38 @@

      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>||<emphasis
+        role="bold">ipset</emphasis>[<emphasis
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall6 drop</command>,
-          <command>shorewall6 reject</command>, <command>shorewall6
-          logdrop</command> and <command>shorewall6 logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          chain-based dynamic blacklisting using the <command>shorewall6
+          drop</command>, <command>shorewall6 reject</command>,
+          <command>shorewall6 logdrop</command> and <command>shorewall6
+          logreject</command> is disabled. Default is <emphasis
+          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
+          ipset-based dynamic blacklisting is also supported. The name of the
+          set (<replaceable>setname</replaceable>) and the level
+          (<replaceable>log_level</replaceable>), if any, at which blacklisted
+          traffic is to be logged may also be specified. The default set name
+          is SW_DBL6 and the default log level is <option>none</option> (no
+          logging). if <option>ipset-only</option> is given, then chain-based
+          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>
+
+          <para>When ipset-based dynamic blacklisting is enabled, the contents
+          of the blacklist will be preserved over
+          <command>stop</command>/<command>reboot</command>/<command>start</command>
+          sequences if SAVE_IPSETS=Yes or if
+          <replaceable>setname</replaceable> is included in the list of sets
+          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>

@@ -686,7 +709,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
+          (see below).</para>

          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -846,7 +870,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1436,7 +1460,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1447,6 +1471,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '6'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
        </listitem>
      </varlistentry>

@@ -2111,11 +2139,13 @@ INLINE          -       -       -       ; -j REJECT
        role="bold">STARTUP_LOG=</emphasis>[<emphasis>pathname</emphasis>]</term>

        <listitem>
-          <para>If specified, determines where Shorewall6 will log the details
+          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
+          role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
+          role="bold">try</emphasis>, and <emphasis
+          role="bold">safe-</emphasis>* command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -48,6 +48,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -923,6 +936,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          The <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -2469,6 +2501,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall6:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>See ALSO</title>

--- a/Shorewall6/modules.essential
+++ b/Shorewall6/modules.essential
@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Essential Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.essential
 #
-# /usr/share/shorewall6/modules.essential
+# Essential Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule nfnetlink
--- a/Shorewall6/modules.extensions
+++ b/Shorewall6/modules.extensions
@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Extensions Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.extension
 #
-# /usr/share/shorewall6/modules.extension
+# Extensions Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule ip6_queue
--- a/Shorewall6/modules.ipset
+++ b/Shorewall6/modules.ipset
@@ -1,16 +1,16 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.ipset
 #
-# /usr/share/shorewall6/modules.ipset
+# IP Set Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall6 and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall6 and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_set
--- a/Shorewall6/modules.tc
+++ b/Shorewall6/modules.tc
@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Traffic Shaping Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.tc
 #
-# /usr/share/shorewall6/modules.tc
+# Traffic Shaping Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule sch_sfq
--- a/Shorewall6/modules.xtables
+++ b/Shorewall6/modules.xtables
@@ -1,16 +1,16 @@
 #
-# Shorewall6 version 5 - Xtables Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.xtables
 #
-# /usr/share/shorewall6/modules.xtables
+# Xtables Modules File
 #
-#	This file loads the modules that may be needed by the firewall.
+# This file loads the modules that may be needed by the firewall.
 #
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
 #
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
 #
 ###############################################################################
 loadmodule xt_AUDIT
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -32,6 +32,8 @@

      <year>2013</year>

+      <year>2015-2016</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -397,6 +399,27 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
      url="configuration_file_basics.htm#ActionVariables">Action Variables
      section</ulink> of the Configuration Basics article.</para>
    </section>
+
+    <section>
+      <title>Mangle Actions</title>
+
+      <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
+      <ulink
+      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
+      Because the rules and mangle files have different column layouts,
+      actions can be defined to be used in one file or the other but not in
+      both. To designate an action to be used in the mangle file, specify the
+      <option>mangle</option> option in the action's entry in <ulink
+      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
+      <ulink
+      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+
+      <para>To create a mangle action, follow the steps in the preceding
+      section, but use the
+      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
+      </para>
+    </section>
  </section>

  <section id="Logging">
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -74,7 +74,7 @@
  <section>
    <title>Documentation for Earlier Versions</title>

-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.4/4.6
+    <para><ulink url="4.6/Documentation_Index.html">Shorewall 4.4/4.6
    Documentation</ulink></para>

    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -204,7 +204,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally. The default is
+            is given, the log prefix is determined normally. The default is
            ACCEPT.</para>
          </listitem>
        </varlistentry>
@@ -258,7 +258,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -404,7 +404,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
          </listitem>
        </varlistentry>
      </variablelist>
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall-lite stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall 4.4 stable branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall6-lite stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall6 stable 4.4 branch of Git.`